Single Sign on Configuration Overview

Copy

• Copy for LLM

  Copy page as Markdown for LLMs
• View as Markdown

  Open this page as Markdown
• Open in ChatGPT

  Get insights from ChatGPT
• Open in Claude

  Get insights from Claude
• Connect to Cursor

  Install MCP server on Cursor
• Connect to VS Code

  Install MCP server on VS Code

The configuration for SSO requires work to be done in the following areas:

• The Identity Provider (IdP) environment, by the Administrator of the IdP

• TD Console, by the TD account owner or an administrator

Continue to the following topics:

• Administrator for the Identity Provider
• Treasure Data Account Owner or Administrator
• FAQs
• Could I use same company email in both accounts set up with SSO?

Administrator for the Identity Provider

In the IdP environment, you add Treasure Data to your list of authorized applications. You can view and configure multiple IdPs as well as sign-in methods. In your IdP, each Treasure Data account is added as a separate application. You assign your users to the Treasure Data applications, as needed.

Treasure Data Account Owner or Administrator

As the Treasure Data Account owner or an administrator, you configure trust settings and assign users to SSO access. You configure the trust setting in each of your Treasure Data accounts. You can configure trust settings using TD Console or TD APIs. For TD API support, contact your Customer Success Representative.

Each of your Treasure Data accounts with SSO enabled is assigned a unique name within Treasure Data. The assigned name is used in your IdP configuration. The ID is not editable.

For detailed configuration steps, see Configuring SSO in TD Console.

FAQs

Could I use same company email in both accounts set up with SSO?

Yes. The two following conditions must be met to use a single email for multiple accounts set up with SSO.

1. Support could share the AWS account name for the customer to attach to the Console URL

aws:1XXX9 - abcde12345abcde12345 - https://console.us01.treasuredata.com/users/initiate_sso?account_name=abcde12345abcde12345 aws:1XXX2 - 11aa22bb33cc44dd55ee - https://console.us01.treasuredata.com/users/initiate_sso?account_name=11aa22bb33cc44dd55ee

2. IdP Account Name would have to be different per account, then, the customer could use the same email for both accounts.

• If you elect not to choose this route, the only other option to create same user with distinct emails for two different accounts is to create email aliases per account. For instance, tina+prod@example.com and tina+testing@example.com.
• The IdP customer chooses needs to support “+” sign in email.
• Audit logs will not be affected, as user_id are different per users even if the email is same.